This topic provides sample sudo file privilege configurations for using the Delphix Engine with various operating systems and the Oracle RDBMS. 

Note

Delphix requires that the requiretty setting be disabled for all Delphix users with sudo privileges.

Configuring sudo Access on Solaris SPARC for Oracle Source and Target Environments

Sudo access to pargs on the Solaris operating system is required for the detection of listeners with non-standard configurations on both source and target environments. Super-user access level is needed to determine the TNS_ADMIN environment variable of the user running the listener (typically oracle, the installation owner). From TNS_ADMIN, the Delphix OS user delphix_os can derive connection parameters.


Example: Solaris /etc/sudoers entries for a Delphix Source

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD:/usr/bin/pargs


On a Solaris target, sudo access to mount and umount is also required.

Example: Solaris /etc/sudoers entries for a Delphix Target

# Delphix issues sudo -l so we need to allow it via listpw. Never set it to always when using public key authentication
Defaults      listpw=all
 
User_Alias DELPHIX_USER=delphix_os 
 
Cmnd_Alias DELPHIX_CMDS= \
/usr/sbin/mount, \
/usr/sbin/umount, \
/usr/bin/pargs 

DELPHIX_USER ALL=(ALL) NOPASSWD: DELPHIX_CMDS

Configuring sudo Access on Linux for Oracle Source and Target Environments

Sudo access to ps on the Linux operating system is required for the detection of listeners with non-standard configurations on both source and target environments. Super-user access level is needed to determine the TNS_ADMIN environment variable of the user running the listener (typically oracle, the installation owner). From TNS_ADMIN, the Delphix OS user delphix_os can derive connection parameters. 


Example: Linux /etc/sudoers entries for a Delphix Source

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD:/bin/ps


On a Linux target, sudo access to mount and umount is also required.

Example: Linux /etc/sudoers file for a Delphix Target

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: \
/bin/mount, /bin/umount, /bin/ps

 

Configuring sudo Access on AIX for Oracle Source and Target Environments

Sudo access to ps on the AIX operating system is required for the detection of listeners with non-standard configurations on both source and target environments. Super-user access level is needed to determine the TNS_ADMIN environment variable of the user running the listener (typically oracle, the installation owner). From TNS_ADMIN, the Delphix OS user delphix_os can derive connection parameters. 

Example: AIX /etc/sudoers entries for a Delphix Source

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD:/bin/ps

In addition to sudo access to the mount, umount, and ps commands on AIX target hosts, Delphix also requires sudo access to nfso. The Delphix Engine uses nfso on target hosts to monitor the NFS read/write sizes configured on the AIX system, and super-user access level is needed to run the nfso command.

Example: AIX /etc/sudoers File for a Delphix Target

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: \
/usr/sbin/mount, \
/usr/sbin/umount, \
/usr/sbin/nfso, \
/usr/bin/ps

Configuring sudo Access on HP-UX for Oracle Source and Target Environments

No sudo privileges are required on source environments running HP-UX. The HP-UX OS does not allow the delphix_os user to determine the TNS_ADMIN environment variable setting for the oracle user. This means that the Delphix Engine cannot auto-discover non-standard listener configurations with non-default TNS_ADMIN settings.

On the HP-UX target, sudo access to mount and umount is required as with other operating systems.

Example: HP-UX /etc/sudoers file for a Delphix Target

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD:/sbin/mount, /sbin/umount

Examples of Limiting sudo Access for the Delphix OS User 

In situations where security requirements prohibit giving the Delphix user root privileges to mount, unmount, make directory, and remove directory at the global level, it is possible to configure the sudoers file to provide these privileges only on specific mount points or only from specific Delphix Engines, as shown in the examples below.

The Delphix Engine tests its ability to run the mount command using sudo on the target environment by issuing the sudo mount command with no arguments. Many of the examples shown in this topic do not allow that. This causes a warning during environment discovery and monitoring, but otherwise does not cause a problem. If your VDB operations succeed, it is safe to ignore this warning.

Similarly, the ps (or pargs) command is used for target environment operations such as initial discovery and refresh. The most restrictive sudo setups might not allow ps (or pargs) at all. Delphix can still function without these privileges, although auto-discovery may not work.

However, some users configure the security on the target environments to monitor sudo failures and lock out the offending account after some threshold. In those situations, the failure of the sudo commands might cause the delphix_os account to become locked. One work-around for this situation is to increase the threshold for locking out the user account. Another option is to modify /etc/sudoers to permit the delphix_os user to run the ps (or pargs) and mount commands without parameters.


Example 1

This example restricts the delphix_os user's use of sudo privileges to the directory /oracle.

Note that wildcards are allowed for the options on mount and umount because those commands expect a fixed number of arguments after the options. The option wildcard on the mount command also makes it possible to specify the file-system being mounted from the Delphix Engine.

Delphix requires umount -lf for emergency force unmounts on Linux.  For other Unix OSes, Delphix requires umount -f.

Example /etc/sudoers File Configuration on the Target Environment for sudo Privileges on the VDB Mount Directory Only (Linux OS)

Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: \
/bin/mount  *        /oracle/*, \
/bin/umount *        /oracle/*, \
/bin/umount          /oracle/*, \
/bin/umount -lf      /oracle/*, \
/bin/ps

Example /etc/sudoers File Configuration on the Source Environment to grant Super-User privileges when running PS

Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: /bin/ps

Example 2

This example restricts the delphix_os user's use of sudo privileges to the directory /oracle, restricts the mount commands to a specific Delphix Engine hostname and IP, and does not allow user-specified options for the umount command.

Delphix requires umount -lf for emergency force unmounts on Linux.  For other Unix OSes, Delphix requires umount -f.

This configuration is more secure, but there is a tradeoff with deployment simplicity.  This approach would require a different sudo configuration for targets configured for different Delphix Engines.

A Second Example of Configuring the /etc/sudoers File on the Target Environment for Privileges on the VDB Mount Directory Only (Linux OS)

Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: \
/bin/mount           <delphix-server-name>* /oracle/*, \
/bin/mount *         <delphix-server-name>* /oracle/*, \
/bin/mount           <delphix-server-ip>*   /oracle/*, \
/bin/mount *         <delphix-server-ip>*   /oracle/*, \
/bin/mount "", \
/bin/umount          /oracle/*, \
/bin/umount *        /oracle/*, \
/bin/umount -lf      /oracle/*, \
/bin/ps

Example 3

This example restricts the delphix_os user account's use of sudo privileges in several dimensions:

  • restricts the mount and umount commands only to the subdirectories under the directory /oracle
  • restricts the mount command only to a specific Delphix virtualization engine IP address
  • restricts the option and object syntax used in the mount and umount commands

This example therefore restricts any use of the mount command to the precise syntax used by the Delphix virtualization engine, but these same precise syntax restrictions may also make these sudo specifications incompatible with the syntax used by future Delphix virtualization engine versions. When necessary, Delphix will update this documentation for new versions, but you must update your sudo specifications to be compliant before deploying the future version of Delphix. There are obvious tradeoffs between security and deployment simplicity, since each sudo specification must be customized for each server.

In the example shown below, the name of the delphix_os user account is "delphix_os", the IP address of the Delphix virtualization engine is 10.20.30.40, and the base mount-point directory is "/oracle".

A Third Example of Configuring the /etc/sudoers File on the Target Environment for Privileges on the VDB Mount Directory Only (Linux OS)

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: \
/bin/mount "", \
/bin/mount -o nosuid,tcp,vers=3 10.20.30.40* /oracle/*, \
/bin/mount -t nfs -o rw,bg,hard,rsize=1048576,wsize=1048576,vers=3,nointr,timeo=600,tcp,nosuid,noacl,port=2049 10.20.30.40* /oracle/*, \
/bin/mount -t nfs -o rw,bg,hard,rsize=1048576,wsize=1048576,vers=3,nointr,timeo=600,tcp,nosuid,noacl,actimeo=0,port=2049 10.20.30.40* /oracle/*, \
/bin/umount /oracle/*, \
/bin/umount -lf /oracle/*, \
/bin/ps 
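To check what each of these specifications permits before deploying them, the following Python simulation is an added example (not Delphix's code and not sudo's own matcher) that applies the documented sudoers argument-matching rules to command lines constructed from Examples 1 and 3 above. The command lines it evaluates are sample values; the 10.20.30.40 engine address is the one used in Example 3.

```python
"""Simulate which command lines a sudoers Cmnd_Spec permits.

Added example; not Delphix's code and not sudo's own matcher. It applies the
sudoers(5) rules the examples above rely on: the command path must match
exactly, a bare path permits any arguments, a trailing "" permits only an
empty argument list, and otherwise the arguments are compared as a single
string in which '*' and '?' are shell-style wildcards ('*' matches across
spaces, which is why one '*' covers all mount options in Example 1).
"""
import fnmatch
import shlex

# Cmnd_Specs copied from the page's Example 1 and Example 3 (Linux target).
EXAMPLE_1 = [
    "/bin/mount * /oracle/*",
    "/bin/umount * /oracle/*",
    "/bin/umount /oracle/*",
    "/bin/umount -lf /oracle/*",
    "/bin/ps",
]
EXAMPLE_3 = [
    '/bin/mount ""',
    "/bin/mount -o nosuid,tcp,vers=3 10.20.30.40* /oracle/*",
    "/bin/umount /oracle/*",
    "/bin/umount -lf /oracle/*",
    "/bin/ps",
]


def spec_permits(spec: str, cmdline: str) -> bool:
    """True if the single Cmnd_Spec `spec` permits `cmdline`."""
    tokens = spec.split()                   # path, then the argument pattern
    path, pattern = tokens[0], " ".join(tokens[1:])
    argv = shlex.split(cmdline)
    if not argv or argv[0] != path:
        return False                        # the path must match exactly
    args = " ".join(argv[1:])
    if pattern == "":
        return True                         # bare path: any arguments allowed
    if pattern == '""':
        return args == ""                   # "": allowed only with no arguments
    return fnmatch.fnmatchcase(args, pattern)


def allowed(specs, cmdline):
    """True if any Cmnd_Spec in `specs` permits `cmdline`."""
    return any(spec_permits(s, cmdline) for s in specs)
```

Running it shows, for instance, that Example 1 rejects the bare sudo mount probe described above (hence the discovery warning) while Example 3 permits it, and that Example 3 rejects umount -f because Linux targets use umount -lf.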
